tech-userlevel archive


Re: RFC: Going the LDAP/Kerberos way with NetBSD.

On Tue, Apr 29, 2008 at 11:16 AM, Anders Magnusson <> wrote:
> After Luke's mail on integrating OpenLDAP, I think it may be a good time to
> re-think how NetBSD works in both stand-alone and small network environments.
> I have some ideas here; please comment on them for things I have missed :-)
>
> Today:
> - NetBSD has a few databases in /etc used in a standalone environment, but
>   most stuff is in text files.
>   For small networks, there is YP, which provides a rudimentary directory
>   service. YP today is starting to be quite outdated; it is not especially
>   secure and does not necessarily have the capabilities wanted. Also, there
>   are fewer and fewer other sites using it.
>
> Wanted environment:
> - A default installation that can work as a good standalone machine.
>   From this position it should be simple to make it a server for a few
>   machines, or to join it to an environment of other NetBSD machines or
>   machines with other OSes.
>
> Idea:
> - NetBSD should have an infrastructure primarily based on LDAP for directory
>   services and Kerberos for authentication, which is used in all environments
>   where feasible. Let the {s}pwd.db stuff die and retire ypserv.
>
>, that sounds good, but how?
> Setting up OpenLDAP is a quite complex task; it requires understanding of
> how LDAP works, how the security policies should be, config of backends,
> certificates etc. Even though it may be possible to set up a reasonable
> default configuration, I doubt it is good to require people trying/using
> NetBSD to have to deal with it. LDAP is not as "lightweight" as required
> for this.
> So, I went the other way and wrote a small LDAP server implementation, just
> to see how simple it can be if all bells and whistles are removed. And my
> prototype is small :-)
>
> To summarize (so that the mail does not get too long and people do not care
> to read it), I think something like this:
> - Deliver NetBSD with my small LDAP server, which can be a daemon that
>   always runs on the machine. Let pwd_mkdb et al. write the stuff directly
>   into the LDAP database. (I assume that passwd can generate the Kerberos
>   encryption keys as well, for eventual future KDC use?) Have a command
>   similar to ypmake that puts groups etc. in the LDAP directory as well.
>   This is the default config for a newly-installed machine.
> - If the machine is supposed to be used as a server in a small network,
>   just run e.g. ypinit -s, which asks questions about the Kerberos realm,
>   populates LDAP with the required KDC keys and starts the KDC.
> - If it is supposed to be a client in a NetBSD network, just run something
>   like ypinit -c <servername>, which will fetch the config out of the LDAP
>   and generate host keys for the target machine. Quite simple :-)
>
> And, if someone wants to use more fancy features in an LDAP server, install
> OpenLDAP or iPlanet. It should be trivial to just switch over.
>
> Now, after a much too long mail, comments please? :-)

These are some pretty big changes.  It might be easier to implement as
a minimal OpenLDAP backend (maybe just improving slapd-passwd) and
then pushing for NetBSD to include slapd with just that backend
enabled.  This would allow you to ship a very simple slapd.conf which
pointed at the local passwd, group, etc. files and you have an instant
replacement for NIS working on the same trusted infrastructure (text
files).  You could even have slapd listen on ldapi:// (LDAP over a Unix
domain socket) for local-only queries.
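The proposal's "command similar to ypmake that puts groups etc. in the LDAP directory", and the reply's idea of feeding the directory from the same trusted text files, both boil down to mapping passwd(5)/group(5) lines onto RFC 2307 posixAccount/posixGroup entries. The sketch below is an added example written by the editor, not code from NetBSD, from OpenLDAP, or from anyone in this thread; the base DN, the ou=People/ou=Group layout and the sample passwd/group lines are constructed assumptions. The security-relevant check it adds is the one a practitioner would want before exporting anything: on NetBSD the hashes live in master.passwd and /etc/passwd carries only "*", so a real hash in the password field means the wrong file was fed in, and the entry is refused rather than copied into a world-readable directory. Values that RFC 2849 does not allow raw in LDIF (leading space, non-ASCII) are base64-encoded, and RDN values are escaped per RFC 4514.

```python
"""Turn passwd(5)/group(5) text into RFC 2307 LDIF (added example, editor's own code).

Not NetBSD or OpenLDAP code.  Assumptions: the BASE_DN below, an ou=People /
ou=Group layout, and the constructed SAMPLE_* input.  The output can be fed to
ldapadd (or to the small server the thread discusses); userPassword is never
emitted, so a directory readable by every host cannot leak hashes.
"""
import base64

BASE_DN = "dc=example,dc=org"   # assumption: the site's base DN

# Constructed sample input.  NetBSD's /etc/passwd has '*' in the password
# field; 'leak' simulates a master.passwd line fed in by mistake.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/sh
# comment lines and blank lines are skipped

jdoe:*:1000:100:Jane Doe:/home/jdoe:/bin/ksh
leak:$2a$04$abcdefghijklmnopqrstuvwxyz:1001:100:Stray hash:/home/leak:/bin/sh
"""
SAMPLE_GROUP = """\
wheel:*:0:root,jdoe
users:*:100:
"""

# RFC 2849: SAFE-INIT-CHAR excludes NUL, LF, CR, SPACE, ':' and '<';
# SAFE-CHAR excludes NUL, LF, CR; anything else must be base64-encoded.
SAFE_INIT = set(range(0x01, 0x80)) - {0x0A, 0x0D, 0x20, 0x3A, 0x3C}
SAFE = set(range(0x01, 0x80)) - {0x0A, 0x0D}


def ldif_value(attr, value):
    """Render one 'attr: value' line, switching to 'attr:: base64' when needed."""
    raw = value.encode("utf-8")
    safe = (raw == b"" or
            (raw[0] in SAFE_INIT and all(b in SAFE for b in raw)
             and not raw.endswith(b" ")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"


def dn_escape(value):
    """Escape an attribute value for use inside an RDN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def parse_colon_file(text, nfields):
    """Split colon-separated lines; skip comments/blanks; reject malformed lines."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
        rows.append(fields)
    return rows


def looks_like_hash(pw_field):
    """True when the password field holds a real hash instead of a placeholder."""
    return pw_field not in ("", "*", "x")


def passwd_to_ldif(fields, base_dn):
    """One passwd(5) line -> one posixAccount entry.  '&' in gecos is the BSD
    shorthand for the capitalised login name."""
    login, _pw, uid, gid, gecos, home, shell = fields
    cn = gecos.split(",")[0].replace("&", login.capitalize()) or login
    lines = [
        f"dn: uid={dn_escape(login)},ou=People,{base_dn}",
        "objectClass: account",
        "objectClass: posixAccount",
        ldif_value("uid", login),
        ldif_value("cn", cn),
        f"uidNumber: {int(uid)}",
        f"gidNumber: {int(gid)}",
        ldif_value("homeDirectory", home),
    ]
    if shell:
        lines.append(ldif_value("loginShell", shell))
    if gecos:
        lines.append(ldif_value("gecos", gecos))
    # Deliberately no userPassword: hashes belong in master.passwd / the KDC.
    return "\n".join(lines) + "\n"


def group_to_ldif(fields, base_dn):
    """One group(5) line -> one posixGroup entry with memberUid per member."""
    name, _pw, gid, members = fields
    lines = [
        f"dn: cn={dn_escape(name)},ou=Group,{base_dn}",
        "objectClass: posixGroup",
        ldif_value("cn", name),
        f"gidNumber: {int(gid)}",
    ]
    lines += [ldif_value("memberUid", m) for m in members.split(",") if m]
    return "\n".join(lines) + "\n"


def build_ldif(passwd_text, group_text, base_dn=BASE_DN):
    """Return (ldif, warnings).  Entries carrying a hash are skipped and reported."""
    out, warnings = [], []
    for fields in parse_colon_file(passwd_text, 7):
        if looks_like_hash(fields[1]):
            warnings.append(f"{fields[0]}: password field holds a hash; entry skipped")
            continue
        out.append(passwd_to_ldif(fields, base_dn))
    for fields in parse_colon_file(group_text, 4):
        out.append(group_to_ldif(fields, base_dn))
    return "\n".join(out), warnings


if __name__ == "__main__":
    ldif, warnings = build_ldif(SAMPLE_PASSWD, SAMPLE_GROUP)
    print(ldif)
    for w in warnings:
        print("warning:", w)
```

Run it as-is to see the LDIF for the two sample users and two groups plus the warning for the stray hash; with real input, point it at /etc/passwd and /etc/group (never master.passwd) and pipe the output to ldapadd against the local ldapi:// socket.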
